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(54) Computer system 

(57) A computer system, particularly for use in a motor vehicle, comprises at least two computing units (10, 20), wherein 
during putting of the system Into operation a reset pulse is produced by a first pulse-forming unit (42) and is fed to the 
computing units. Faulty operation of one of the computing units can be recognised by a mutual monitoring arrangement. 
The computer system also includes an additional pulse-forming unit (56) which, for one of the computing units, produces (by 
means of 62, 72) an independent reset pulse in order to ensure orderly putting into operation of the computer system. 
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COMPUTER SYSTEM 
The present Invention relates to a computer system. 
A computer system for the control of an operating parameter of 
an internal combustion engine of a motor vehicle is disclosed in DE-OS 
5 37 26 489. The computer system consists of two processors, which are 
connected by way of a line system for the exchange of data and control 
or check signals. For mutual monitoring of the two processors, each 
processor is equipped with a so-called watch-dog monitoring device which 
delivers check signals to the respective other computer, by means of 
10 which check signals the other computer can check the functional capability 
of the computer emitting the check signal. A further monitoring path 
in such a two-computer is formed by the transmission of data between 
the processors. The data transmission takes place cyclically in a fixed 
time raster and, in the absence of a data transmission or request from 
15 either or both computers, the respective other computer concludes that 
there is a functional fault and starts the faulty computer again by 
way of a reset pulse (warm start). When the computer system is placed 
in operation, an Initialising pulse (power on) common to both computers 
is produced and resets the two computers at the same time for initial is- 
20 ing (cold start). It is disadvantageous in an arrangement of that kind 
that the computer system cannot be taken into operation in an orderly 
manner when the initialising pulse or the circuit arrangement producing 
this pulse 1s faulty. When the computer system is serving for the control 
of functions critical for the safety of an internal combustion engine 
25 and/or a motor vehicle, the danger exists that a mode of engine or 

vehicle operation critical in terms of safety can arise in such a fault 
case. There is thus scope for improvement in the utilisation availability 
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of a computer system of that kind. 

A circuit arrangement for the production of an initialising or 
reset pulse is described in WO 88/05569. This circuit arrangement serves 
on the one hand for resetting of a computer system when first switched 
5 on (power on) and on the other hand for resetting of the computer system 
in the case of under-voltage, i.e. if the operating voltage falls below 
a preset value. The circuit arrangement also produces a reset signal 
which, in the case of a failure of a computer, is Issued by a functionally 
capable- computer in order to restart the computer that is incapable 

10 of function. 

According to the present invention there is provided a computer 
system comprising at least two interconnected computing units, signal pro- 
viding means for providing an initialising reset pulse to initialise 
each computing unit, fault recognition means for recognition of faulty 
15 states of the computing units and for causing any such unit recognised 
as faulty to be restarted by a reset signal, and additional signal pro- 
viding means for delivering a reset signal independent of the initialis- 
ing reset signal to at least one of the computing units. 

A system embodying the invention may have the advantage that, in 
20 the case of failure of the signal providing means producing the initial- 
ising reset pulse, an orderly putting into operation of the computer 
system is made possible by additional signal providing means independent 
of the first-mentioned signal providing means. A faulty putting into 
operation, and consequently a state critical to safety, may thereby 
25 be able to be effectively avoided. 

The additional signal providing means may be able to be realised 
in simple manner at favourable cost in connection with monitoring 
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processors, which are known from the state of the art. 

An embodiment of the present invention will now be more particularly 
described with reference to the accompanying drawings, 1n which: 
F1g. 1 is a block circuit diagram of a two-computer system 

embodying the invention; 
Fig. 2 is a flow chart showing the interplay of computer- 

monitoring and additional reset unit in the computer 
system of Fig. 1 when put into operation; and 
Fig. 3 is a circuit diagram of a preferred form of additional 

reset unit in the computer system. 
Referring now to the drawings, there is shown in Fig. 1 a two- 
computer system which serves for the control of certain functions in 
a motor vehicle. For example, the system can be used in safety equip- 
ment such as an air bag or a belt tightener or for the control and/or 
15 regulation of operational parameters of the vehicle engine, such as 
electronic engine power control. 

The two computer units 10 and 20 are connected together by way 
of a line system 30, which can comprise data lines, address lines and/or 
control lines. The line system 30 serves for the exchange of data, 
20 addresses and/or control or check signals, by means of which the 

communication between the two units is controlled. The computing units 
10 and 20 are equipped with so-called watch dog units 12 and 22. The 
two units 12 and 22 are connected to each other by way of two lines 
32 and 33, wherein the line 32 carries the signal produced by the unit 
25 12 and the line 33 carries that produced by the unit 22. 

The connecting line 32 is also connected, by way of a circuit unit 
34, to a first input of an interlinking stage 36. This interlinking 
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stage 36, which corresponds to a logic OR function, is connected at 
a second input with an output 37 of the computing unit 10. An output 
line 38 of the interlinking stage 36 is connected to a first Input of 
a second interlinking stage 40, a second input of which is linked by 
way of a line 41 with a circuit device 42 for the formation of a reset 
or initialising pulse. An output line 43 of the interlinking- stage 
40, which also carries out a logic OR-function, is led to an input 44 
of the computing unit 20. 

In analogous manner, the connecting line 33 is connected by way 
of a circuit unit 46 to a first input of a third interlinking stage 
48, a second input of which is linked with an output 50 of the computing 
unit 20. An output line 52 of the interlinking stage 48 is led to a 
first input 54 of a unit 56 for the formation of an independent reset 
pulse. The unit 56 is connected at a second input 58 thereof by way 
15 of the line 41 with the unit 42. A third input 60 of the., unit 56 is 
connected to a line 62 which forms the input line of the unit 42 and 
carries the supply voltage of the system. An output 64 of the unit 
55 is connected to a reset input 66 of the computing unit 10. 

In operation of the system illustrated in Fig. 1, the unit 42, 
in dependence on the supply voltage value fed to it by way of the line 
62, forms a pulse signal which by way of the line 41 resets the interlink- 
ing stage 40, which 1n turn resets the computing unit 20 by way of the 
line 43 and reset input 44. Such a reset pulse occurs as, for example, 
an initialising pulse on putting the system into operation. The reset 
25 pulse is furthermore applied by way of the input 58 and output line 

64 of the unit 56 to the reset input 66 of the computing unit 10. The 
computing unit 10 is started at the same time as the computing unit 
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20 in the operating condition described above. In the described 
embodiment, the computers are preferably reset by a positive "high- 
signal. In the initialising case, the outputs 12, 37 or 22, 50 carry 
"low" potential . 

A mutual monitoring of functional capability of the two computers 
is performed in accordance with the method described in DE-OS" 37 26 489. 
A first monitoring path is represented by the cyclic data exchange 
operated in a fixed time raster. One of the computing units 10 or 20 
in that case expects a data request of the respective other unit by 
way of the line system 30 within a fixed time raster. The computing 
unit expressing the data request thereupon expects a data transmission 
from the respective other computing unit. If either of these reactions 
is absent, the respective computing unit is recognised as faulty. In 
that case, the functionally capable computing unit, by way of its restart 
15 output (the output 37 in the case of the unit 10 and the output 50 in 
the case of the unit 20) restarts the faulty unit. The computing unit 
10 - in the case of a faulty function of the computing unit 20 - then 
sends a reset pulse by way of the interlinking stages 36 and 40 to the 
reset input 44. Conversely, the computing unit 20 - if it is the computing 
unit 10 that is faulty - sends a reset pulse by way of the interlinking 
stage 48 and the unit 56 to the reset input 66 of the unit 10. The 
successful start of the faulty computing unit can be performed by means 
of the afore-described data protocol or by means of the watch dog monitor- 
ing arrangement described below. 

In particular, a further monitoring path is represented by the 
mutual exchange of watch dog check signals between the two computing 
units, in that case, a check signal is delivered from the unit 12 by 
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way of the line 32 to the unit 22 of the computing unit 20, which 
evaluates this and, by reference to the signal shape and/or height, 
ascertains the functional capability of the computing unit 10. 
Analogously, a similar check signal is delivered from the unit 22 by 
5 way of the line 33 to the unit 12 of the computing unit 10 and evaluated 
therein. The lines 32 and 33 are connected with the respective units 
34 and 46, which evaluate the check signal and feed a reset pulse by 
way of the interlinking stages 36 and 40 to the reset Input 44 of the 
unit 20 in the case of a fault in the unit 10 and by way of the inter- 
10 linking line 48 and the unit 56 to the reset Input 66 of the unit 10 

in the case of a fault in the unit 20. Subsequently thereto, the faulty 
computing unit is restarted by the respective other computing unit. 
The interlinking stages 36, 40 and 48 are 1n that case constructed to 
provide logic OR-interl inking in order to achieve an equal authority 
15 of the reset pulses of the unit 42 by reason of a faulty watch do.g signal 
or by reason of a new start signal. 

The unit 56, of which an example is shown in Fig. 3, essentially 
consists of a logic 0R-1nterl inking device 70, which ensures equal 
authority between the reset signal supplied from the interlinking stage 
20 48 by way of the connecting line 52 to the input 54 and the reset signal 
fed in the fault-free state from the unit 42 by way of the line 41 to 
the input 58. Moreover, a pulse-forming state 72 is a component of 
the unit 56. The output of the device 70, and the supply voltage signal 
on the line 62, are fed to the stage 72, the output signal of which 
25 1s issued at the output 64 of the unit 56 and applied to the reset input 
66 of the computing unit 10. 

The pulse-forming stage 72 can, in a preferred embodiment, be a 
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differentiating element. If the unit 42 fails when put into operation, 
the unit 72 serves for formation of a reset signal from the supply voltage 
signal fed by way of the line 62. When the system is put into operation, 
the unit 72 supplies a reset pulse to the reset input 66 of the computing • 
5 unit 10, which pulse initialises and starts the latter. By means of 

the afore-described monitoring paths, the computing unit 10 can recognise 
a faulty function of the unit 20 and restart this by feeding a reset 
signal from its output 37 to the reset input 44 when a faulty function 
of the unit 20 has been recognised. Consequently, an orderly initialis- 
10 ation of the system operation is ensured even in the case of failure 
of the unit 42. 

The mutual monitoring arrangement described above is also applicable 
to multi-computer systems and it is also possible that the unit 56 is 
associated with the computing unit 20. 

In F.1g. 2 there is shown a flow chart illustrating the sequence 
in the computing unit 10, which is associated with the unit 56, when 
the computer system is being put into operation. In step 100, the 
respective computing unit is initialised by reset pulses. In the fault- 
free operational case, this is effected by the initialising pulse supplied 
by the unit 42. If this is defective, the unit 56 supplies an additional 
pulse to the unit 10. In the interrogation block 102, the functional 
capability of the second computing unit 20, which is not associated 
with the unit 56, in the two-computer system is checked. If it is found 
to be functionally capable, it can be concluded that an orderly putting 
into operation has taken place and the normal operation of the computer 
system is ascertained in block 110. If the other computing unit however 
operates in faulty manner, this is reset according to block 104 by the 
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computing unit started in orderly manner. In step 106, the orderly 
mode of operation of the newly started computing unit is checked and 
an orderly start of the system is ascertained in the block 110 in case 
of an orderly mode of operation of that unit. If, however, the newly 
5 started computing unit operates in faulty manner, this computing unit 
is recognised as faulty and switched off in step 108. 

Fig. 3 shows a possible form of construction of the unit 56. The 
reference numerals, used 1n Fig. 1, for the inputs and outputs of the 
unit 56, have been retained in that case. A simple construction with 
10 favourable costs consist of two diodes, a resistor and a capacitor. 

In particular, the input 54, at which a signal may be present by reason 
of a faulty watch dog signal or a new start signal of the respective 
other computer, is connected to the anode of a diode 200. The cathode 
thereof is linked with an Interlinking point 202. The input 58, at 
15 which the initialising or reset pulse of the unit 42 may be present, 
is connected to the anode of a second diode 204, the cathode of which 
is also connected with the interlinking point 202. The two diodes in 
that case provide the logic OR-interl inking described further above, 
wherein the two signals present at the inputs 54 and 58 are passed on 
20 with equal authority to the output 64, which 1s connected directly with 
the interlinking point 202. Also connected to the Interlinking point 
202 Is one terminal of a capacitor, the other terminal of which is 
connected with the input 60 of the unit 56. A resistor 208 connects 
the interlinking point 202 to ground. 
25 When the computer system is placed in operation, a corresponding 

voltage signal is present at the input 60 of the unit 56. The capacitor 
206 is charged up in accordance with the change in the voltage signal, 
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so that the capacitor voltage assumes an exponential course. The 
temporal change in the capacitor voltage leads to a corresponding Inverse 
temporal change of the potential course at the interlinking point 202. 
This potential course represents a pulse-shaped "high" signal with a 
steep edge and an edge falling in correspondence with the rising course 
of the capacitor voltage. The pulse signal formed in this manner is 
present at the output 64 of the unit 56 and 1s fed to the reset input 
of the associated computing unit, whereupon this is reset. In this 
manner, an orderly start of the computer system is ensured independently 

of the signal of the unit 42. 

The monitoring arrangement described above can in principle also 
find application in the case of undervoltages. 
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6. A computer system as claimed in any one of the preceding claims, 

the additional signal providing means comprising a differentiating device. 

7. A computer system as claimed in claim 6, wherein the differentiating 
device comprises a resistance-capacitance element. 

5 8. A computer system substantially as hereinbefore described with 
reference to the accompanying drawings. 
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